32 CFR § 170.21 - Plan of Action and Milestones requirements.

---
identifier: "/us/cfr/t32/s170.21"
source: "ecfr"
legal_status: "authoritative_unofficial"
title: "32 CFR § 170.21 - Plan of Action and Milestones requirements."
title_number: 32
title_name: "National Defense"
section_number: "170.21"
section_name: "Plan of Action and Milestones requirements."
chapter_name: "OFFICE OF THE SECRETARY OF DEFENSE"
subchapter_number: "G"
subchapter_name: "DEFENSE CONTRACTING"
part_number: "170"
part_name: "CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) PROGRAM"
positive_law: false
currency: "2026-04-05"
last_updated: "2026-04-05"
format_version: "1.1.0"
generator: "[email protected]"
authority: "5 U.S.C. 301; Sec. 1648, Pub. L. 116-92, 133 Stat. 1198."
regulatory_source: "89 FR 83214, Oct. 15, 2024, unless otherwise noted."
cfr_part: "170"
---

# 170.21 Plan of Action and Milestones requirements.

(a) *POA&M.* For purposes of achieving a Conditional CMMC Status, an OSA is only permitted to have a POA&M for select requirements scored as NOT MET during the CMMC assessment and only under the following conditions:

(1) *Level 1 self-assessment.* A POA&M is not permitted at any time for Level 1 self-assessments.

(2) *Level 2 self-assessment and Level 2 certification assessment.* An OSA is only permitted to achieve the CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO), as appropriate, if all the following conditions are met:

(i) The assessment score divided by the total number of CMMC Level 2 security requirements is greater than or equal to 0.8;

(ii) None of the security requirements included in the POA&M have a point value of greater than 1 as specified in the CMMC Scoring Methodology set forth in § 170.24, except SC.L2-3.13.11 CUI Encryption may be included on a POA&M if encryption is employed but it is not FIPS-validated, which would result in a point value of 3; and

(iii) None of the following security requirements are included in the POA&M:

(A) AC.L2-3.1.20 External Connections (CUI Data).

(B) AC.L2-3.1.22 Control Public Information (CUI Data).

(C) CA.L2-3.12.4 System Security Plan.

(D) PE.L2-3.10.3 Escort Visitors (CUI Data).

(E) PE.L2-3.10.4 Physical Access Logs (CUI Data).

(F) PE.L2-3.10.5 Manage Physical Access (CUI Data).

(3) *Level 3 certification assessment.* An OSC is only permitted to achieve the CMMC Status of Conditional Level 3 (DIBCAC) if all the following conditions are met:

(i) The assessment score divided by the total number of CMMC Level 3 security requirements is greater than or equal to 0.8; and

(ii) The POA&M does not include any of the following security requirements:

(A) IR.L3-3.6.1e Security Operations Center.

(B) IR.L3-3.6.2e Cyber Incident Response Team.

(C) RA.L3-3.11.1e Threat-Informed Risk Assessment.

(D) RA.L3-3.11.6e Supply Chain Risk Response.

(E) RA.L3-3.11.7e Supply Chain Risk Plan.

(F) RA.L3-3.11.4e Security Solution Rationale.

(G) SI.L3-3.14.3e Specialized Asset Security.
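As an added illustration, not part of the regulation or the eCFR text, the following Python encodes the paragraph (a) conditions as an eligibility check for a Conditional Level 2 or Level 3 CMMC Status. It assumes, because § 170.24 is not reproduced here, that the assessment score equals the total number of requirements minus the point values of the NOT MET requirements; the requirement totals, sample findings and point values in the usage block are constructed for the example.

```python
from dataclasses import dataclass

# Requirements that may never sit on a POA&M, per § 170.21(a)(2)(iii) and (a)(3)(ii).
POAM_EXCLUDED = {
    2: {"AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
        "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"},
    3: {"IR.L3-3.6.1e", "IR.L3-3.6.2e", "RA.L3-3.11.1e", "RA.L3-3.11.6e",
        "RA.L3-3.11.7e", "RA.L3-3.11.4e", "SI.L3-3.14.3e"},
}
CUI_ENCRYPTION = "SC.L2-3.13.11"   # the one item worth more than 1 point allowed on a Level 2 POA&M
MIN_RATIO = 0.8                    # § 170.21(a)(2)(i) and (a)(3)(i)


@dataclass(frozen=True)
class NotMet:
    """One requirement scored NOT MET; the point value is taken from § 170.24 by the caller."""
    req_id: str
    points: int
    encryption_not_fips: bool = False  # SC.L2-3.13.11: encryption employed but not FIPS-validated


def conditional_status_allowed(level, total_requirements, not_met):
    """Return (allowed, reasons) for a Conditional Level 2 or 3 CMMC Status under § 170.21(a).

    Assumption (not stated in § 170.21 itself): the assessment score is the total number
    of requirements minus the point values of the NOT MET requirements, per § 170.24.
    """
    if level == 1:
        return False, ["a POA&M is never permitted for a Level 1 self-assessment"]
    reasons = []
    score = total_requirements - sum(r.points for r in not_met)
    ratio = score / total_requirements
    if ratio < MIN_RATIO:
        reasons.append(f"score {score}/{total_requirements} = {ratio:.2f} is below {MIN_RATIO}")
    for r in not_met:
        if r.req_id in POAM_EXCLUDED[level]:
            reasons.append(f"{r.req_id} may not be placed on a POA&M")
        elif level == 2 and r.points > 1 and not (
                r.req_id == CUI_ENCRYPTION and r.encryption_not_fips and r.points == 3):
            reasons.append(f"{r.req_id} carries {r.points} points; only 1-point items are allowed")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample assessment: 110 Level 2 requirements, two NOT MET (point values
    # are illustrative; use the § 170.24 values in practice).
    findings = [NotMet("SC.L2-3.13.11", 3, encryption_not_fips=True), NotMet("AT.L2-3.2.2", 1)]
    print(conditional_status_allowed(2, 110, findings))                     # (True, [])
    print(conditional_status_allowed(2, 110, [NotMet("CA.L2-3.12.4", 1)]))  # (False, ['CA.L2-3.12.4 may not be placed on a POA&M'])
```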

(b) *POA&M closeout assessment.* A POA&M closeout assessment is a CMMC assessment that assesses only the NOT MET requirements that were identified with a POA&M in the initial assessment. The closing of a POA&M must be confirmed by a POA&M closeout assessment within 180 days of the Conditional CMMC Status Date. If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional CMMC Status for the information system will expire.

(1) *Level 2 self-assessment.* For a Level 2 self-assessment, the POA&M closeout self-assessment shall be performed by the OSA in the same manner as the initial self-assessment.

(2) *Level 2 certification assessment.* For Level 2 certification assessment, the POA&M closeout certification assessment must be performed by an authorized or accredited C3PAO.

(3) *Level 3 certification assessment.* For Level 3 certification assessment, DCMA DIBCAC will perform the POA&M closeout certification assessment.